dependabot-core 0.76.1

data/lib/dependabot/update_checkers/java_script/npm_and_yarn.rb

@@ -0,0 +1,280 @@
+# frozen_string_literal: true
+
+require "dependabot/git_commit_checker"
+require "dependabot/update_checkers/base"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module UpdateCheckers
+    module JavaScript
+      class NpmAndYarn < Dependabot::UpdateCheckers::Base
+        require_relative "npm_and_yarn/requirements_updater"
+        require_relative "npm_and_yarn/library_detector"
+        require_relative "npm_and_yarn/latest_version_finder"
+        require_relative "npm_and_yarn/version_resolver"
+        require_relative "npm_and_yarn/subdependency_version_resolver"
+
+        def latest_version
+          @latest_version ||=
+            if git_dependency?
+              latest_version_for_git_dependency
+            else
+              latest_version_details&.fetch(:version)
+            end
+        end
+
+        def latest_resolvable_version
+          return unless latest_version
+
+          @latest_resolvable_version ||=
+            if dependency.top_level?
+              version_resolver.latest_resolvable_version
+            else
+              # If the dependency is indirect its version is constrained  by the
+              # requirements placed on it by dependencies lower down the tree
+              subdependency_version_resolver.latest_resolvable_version
+            end
+        end
+
+        def latest_resolvable_version_with_no_unlock
+          return latest_resolvable_version unless dependency.top_level?
+
+          if git_dependency?
+            return latest_resolvable_version_with_no_unlock_for_git_dependency
+          end
+
+          latest_version_finder.latest_resolvable_version_with_no_unlock
+        end
+
+        def updated_requirements
+          resolvable_version =
+            if latest_resolvable_version.is_a?(version_class)
+              latest_resolvable_version.to_s
+            elsif latest_resolvable_version.nil?
+              nil
+            else
+              latest_version_details&.fetch(:version, nil)&.to_s
+            end
+
+          @updated_requirements ||=
+            RequirementsUpdater.new(
+              requirements: dependency.requirements,
+              updated_source: updated_source,
+              latest_version:
+                latest_version_details&.fetch(:version, nil)&.to_s,
+              latest_resolvable_version: resolvable_version,
+              update_strategy: requirements_update_strategy
+            ).updated_requirements
+        end
+
+        def requirements_update_strategy
+          # If passed in as an option (in the base class) honour that option
+          if @requirements_update_strategy
+            return @requirements_update_strategy.to_sym
+          end
+
+          # Otherwise, widen ranges for libraries and bump versions for apps
+          library? ? :widen_ranges : :bump_versions
+        end
+
+        private
+
+        def latest_version_resolvable_with_full_unlock?
+          return unless latest_version
+
+          # No support for full unlocks for subdependencies yet
+          return false unless dependency.top_level?
+
+          version_resolver.latest_version_resolvable_with_full_unlock?
+        end
+
+        def updated_dependencies_after_full_unlock
+          version_resolver.dependency_updates_from_full_unlock.
+            map { |update_details| build_updated_dependency(update_details) }
+        end
+
+        def build_updated_dependency(update_details)
+          original_dep = update_details.fetch(:dependency)
+
+          Dependency.new(
+            name: original_dep.name,
+            version: update_details.fetch(:version).to_s,
+            requirements: RequirementsUpdater.new(
+              requirements: original_dep.requirements,
+              updated_source: original_dep == dependency ? updated_source : nil,
+              latest_version: update_details[:version].to_s,
+              latest_resolvable_version: update_details[:version].to_s,
+              update_strategy: requirements_update_strategy
+            ).updated_requirements,
+            previous_version: original_dep.version,
+            previous_requirements: original_dep.requirements,
+            package_manager: original_dep.package_manager
+          )
+        end
+
+        def latest_resolvable_version_with_no_unlock_for_git_dependency
+          reqs = dependency.requirements.map do |r|
+            next if r.fetch(:requirement).nil?
+
+            requirement_class.requirements_array(r.fetch(:requirement))
+          end.compact
+
+          return dependency.version if git_commit_checker.pinned?
+
+          # TODO: Really we should get a tag that satisfies the semver req
+          return dependency.version if reqs.any?
+
+          git_commit_checker.head_commit_for_current_branch
+        end
+
+        def latest_version_for_git_dependency
+          @latest_version_for_git_dependency ||=
+            begin
+              latest_release = latest_version_finder.
+                               latest_version_details_from_registry
+
+              # If there's been a release that includes the current pinned ref
+              # or that the current branch is behind, we switch to that release.
+              if git_branch_or_ref_in_release?(latest_release&.fetch(:version))
+                latest_release.fetch(:version)
+              else
+                latest_git_version_details[:sha]
+              end
+            end
+        end
+
+        def should_switch_source_from_git_to_registry?
+          return false unless git_dependency?
+          return false if latest_version_for_git_dependency.nil?
+
+          version_class.correct?(latest_version_for_git_dependency)
+        end
+
+        def git_branch_or_ref_in_release?(release)
+          return false unless release
+
+          git_commit_checker.branch_or_ref_in_release?(release)
+        end
+
+        def latest_version_details
+          @latest_version_details ||=
+            if git_dependency? && !should_switch_source_from_git_to_registry?
+              latest_git_version_details
+            else
+              latest_version_finder.latest_version_details_from_registry
+            end
+        end
+
+        def latest_version_finder
+          @latest_version_finder ||=
+            LatestVersionFinder.new(
+              dependency: dependency,
+              credentials: credentials,
+              dependency_files: dependency_files,
+              ignored_versions: ignored_versions
+            )
+        end
+
+        def version_resolver
+          @version_resolver ||=
+            VersionResolver.new(
+              dependency: dependency,
+              credentials: credentials,
+              dependency_files: dependency_files,
+              latest_allowable_version: latest_version,
+              latest_version_finder: latest_version_finder
+            )
+        end
+
+        def subdependency_version_resolver
+          @subdependency_version_resolver ||=
+            SubdependencyVersionResolver.new(
+              dependency: dependency,
+              credentials: credentials,
+              dependency_files: dependency_files,
+              ignored_versions: ignored_versions
+            )
+        end
+
+        def git_dependency?
+          git_commit_checker.git_dependency?
+        end
+
+        def latest_git_version_details
+          semver_req =
+            dependency.requirements.
+            find { |req| req.dig(:source, :type) == "git" }&.
+            fetch(:requirement)
+
+          # If there was a semver requirement provided or the dependency was
+          # pinned to a version, look for the latest tag
+          if semver_req || git_commit_checker.pinned_ref_looks_like_version?
+            latest_tag = git_commit_checker.local_tag_for_latest_version
+            return {
+              sha: latest_tag&.fetch(:commit_sha),
+              version: latest_tag&.fetch(:tag)&.gsub(/^[^\d]*/, "")
+            }
+          end
+
+          # Otherwise, if the gem isn't pinned, the latest version is just the
+          # latest commit for the specified branch.
+          unless git_commit_checker.pinned?
+            return { sha: git_commit_checker.head_commit_for_current_branch }
+          end
+
+          # If the dependency is pinned to a tag that doesn't look like a
+          # version then there's nothing we can do.
+          { sha: dependency.version }
+        end
+
+        def updated_source
+          # Never need to update source, unless a git_dependency
+          return dependency_source_details unless git_dependency?
+
+          # Source becomes `nil` if switching to default rubygems
+          return nil if should_switch_source_from_git_to_registry?
+
+          # Update the git tag if updating a pinned version
+          if git_commit_checker.pinned_ref_looks_like_version? &&
+             !git_commit_checker.local_tag_for_latest_version.nil?
+            new_tag = git_commit_checker.local_tag_for_latest_version
+            return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+          end
+
+          # Otherwise return the original source
+          dependency_source_details
+        end
+
+        def library?
+          return true unless dependency.version
+          return true if dependency_files.any? { |f| f.name == "lerna.json" }
+
+          @library =
+            LibraryDetector.new(package_json_file: package_json).library?
+        end
+
+        def dependency_source_details
+          sources =
+            dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+          sources.first
+        end
+
+        def package_json
+          @package_json ||=
+            dependency_files.find { |f| f.name == "package.json" }
+        end
+
+        def git_commit_checker
+          @git_commit_checker ||=
+            GitCommitChecker.new(
+              dependency: dependency,
+              credentials: credentials
+            )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/java_script/npm_and_yarn/latest_version_finder.rb

@@ -0,0 +1,342 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/update_checkers/java_script/npm_and_yarn"
+require "dependabot/update_checkers/java_script/npm_and_yarn/registry_finder"
+require "dependabot/utils/java_script/version"
+require "dependabot/utils/java_script/requirement"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+module Dependabot
+  module UpdateCheckers
+    module JavaScript
+      class NpmAndYarn
+        class LatestVersionFinder
+          class RegistryError < StandardError; end
+
+          def initialize(dependency:, credentials:, dependency_files:,
+                         ignored_versions:)
+            @dependency       = dependency
+            @credentials      = credentials
+            @dependency_files = dependency_files
+            @ignored_versions = ignored_versions
+          end
+
+          def latest_version_details_from_registry
+            return nil unless npm_details&.fetch("dist-tags", nil)
+
+            dist_tag_version = version_from_dist_tags(npm_details)
+            return { version: dist_tag_version } if dist_tag_version
+            return nil if specified_dist_tag_requirement?
+
+            { version: version_from_versions_array }
+          rescue Excon::Error::Socket, Excon::Error::Timeout
+            raise if dependency_registry == "registry.npmjs.org"
+            # Custom registries can be flaky. We don't want to make that
+            # our problem, so we quietly return `nil` here.
+          end
+
+          def latest_resolvable_version_with_no_unlock
+            return unless npm_details
+
+            if specified_dist_tag_requirement?
+              return version_from_dist_tags(npm_details)
+            end
+
+            reqs = dependency.requirements.map do |r|
+              Utils::JavaScript::Requirement.
+                requirements_array(r.fetch(:requirement))
+            end.compact
+
+            possible_versions.
+              find do |version|
+                reqs.all? { |r| r.any? { |opt| opt.satisfied_by?(version) } } &&
+                  !yanked?(version)
+              end
+          rescue Excon::Error::Socket, Excon::Error::Timeout
+            raise if dependency_registry == "registry.npmjs.org"
+            # Sometimes custom registries are flaky. We don't want to make that
+            # our problem, so we quietly return `nil` here.
+          end
+
+          def possible_versions
+            npm_details.fetch("versions", {}).
+              reject { |_, details| details["deprecated"] }.
+              keys.map { |v| version_class.new(v) }.
+              reject { |v| v.prerelease? && !related_to_current_pre?(v) }.
+              reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }.
+              sort.reverse
+          end
+
+          def possible_versions_with_details
+            npm_details.fetch("versions", {}).
+              reject { |_, details| details["deprecated"] }.
+              transform_keys { |k| version_class.new(k) }.
+              reject { |k, _| k.prerelease? && !related_to_current_pre?(k) }.
+              reject { |k, _| ignore_reqs.any? { |r| r.satisfied_by?(k) } }.
+              sort_by(&:first).reverse
+          end
+
+          private
+
+          attr_reader :dependency, :credentials, :dependency_files,
+                      :ignored_versions
+
+          def version_from_dist_tags(npm_details)
+            dist_tags = npm_details["dist-tags"].keys
+
+            # Check if a dist tag was specified as a requirement. If it was, and
+            # it exists, use it.
+            dist_tag_req = dependency.requirements.
+                           find { |r| dist_tags.include?(r[:requirement]) }&.
+                           fetch(:requirement)
+
+            if dist_tag_req
+              tag_vers =
+                version_class.new(npm_details["dist-tags"][dist_tag_req])
+              return tag_vers unless yanked?(tag_vers)
+            end
+
+            # Use the latest dist tag unless there's a reason not to
+            return nil unless npm_details["dist-tags"]["latest"]
+
+            latest = version_class.new(npm_details["dist-tags"]["latest"])
+
+            wants_latest_dist_tag?(latest) ? latest : nil
+          end
+
+          def related_to_current_pre?(version)
+            current_version = dependency.version
+            if current_version &&
+               version_class.correct?(current_version) &&
+               version_class.new(current_version).prerelease? &&
+               version_class.new(current_version).release == version.release
+              return true
+            end
+
+            dependency.requirements.any? do |req|
+              next unless req[:requirement]&.match?(/\d-[A-Za-z]/)
+
+              Utils::JavaScript::Requirement.
+                requirements_array(req.fetch(:requirement)).
+                any? do |r|
+                  r.requirements.any? { |a| a.last.release == version.release }
+                end
+            rescue Gem::Requirement::BadRequirementError
+              false
+            end
+          end
+
+          def specified_dist_tag_requirement?
+            dependency.requirements.any? do |req|
+              next false if req[:requirement].nil?
+
+              req[:requirement].match?(/^[A-Za-z]/)
+            end
+          end
+
+          def wants_latest_dist_tag?(latest_version)
+            ver = latest_version
+            return false if related_to_current_pre?(ver) ^ ver.prerelease?
+            return false if current_version_greater_than?(ver)
+            return false if current_requirement_greater_than?(ver)
+            return false if ignore_reqs.any? { |r| r.satisfied_by?(ver) }
+            return false if yanked?(ver)
+
+            true
+          end
+
+          def current_version_greater_than?(version)
+            return false unless dependency.version
+            return false unless version_class.correct?(dependency.version)
+
+            version_class.new(dependency.version) > version
+          end
+
+          def current_requirement_greater_than?(version)
+            dependency.requirements.any? do |req|
+              next false unless req[:requirement]
+
+              req_version = req[:requirement].sub(/^\^|~|>=?/, "")
+              next false unless version_class.correct?(req_version)
+
+              version_class.new(req_version) > version
+            end
+          end
+
+          def version_from_versions_array
+            possible_versions.find { |version| !yanked?(version) }
+          end
+
+          def yanked?(version)
+            @yanked ||= {}
+            return @yanked[version] if @yanked.key?(version)
+
+            @yanked[version] =
+              begin
+                version_not_found =
+                  Excon.get(
+                    dependency_url + "/#{version}",
+                    SharedHelpers.excon_defaults.merge(
+                      headers: registry_auth_headers,
+                      idempotent: true
+                    )
+                  ).status == 404
+                version_not_found && version_endpoint_working?
+              rescue Excon::Error::Timeout
+                # Give the benefit of the doubt if the registry is playing up
+                false
+              end
+          end
+
+          def version_endpoint_working?
+            return true if dependency_registry == "registry.npmjs.org"
+
+            if defined?(@version_endpoint_working)
+              return @version_endpoint_working
+            end
+
+            @version_endpoint_working =
+              begin
+                Excon.get(
+                  dependency_url + "/latest",
+                  SharedHelpers.excon_defaults.merge(
+                    headers: registry_auth_headers,
+                    idempotent: true
+                  )
+                ).status < 400
+              rescue Excon::Error::Timeout
+                # Give the benefit of the doubt if the registry is playing up
+                true
+              end
+          end
+
+          def npm_details
+            return @npm_details if @npm_details_lookup_attempted
+
+            @npm_details_lookup_attempted = true
+            @npm_details ||=
+              begin
+                npm_response = fetch_npm_response
+
+                check_npm_response(npm_response)
+                JSON.parse(npm_response.body)
+              rescue JSON::ParserError, Excon::Error::Timeout,
+                     RegistryError => error
+                retry_count ||= 0
+                retry_count += 1
+                raise_npm_details_error(error) if retry_count > 2
+                sleep(rand(3.0..10.0)) && retry
+              end
+          end
+
+          def fetch_npm_response
+            response = Excon.get(
+              dependency_url,
+              SharedHelpers.excon_defaults.merge(
+                headers: registry_auth_headers,
+                idempotent: true
+              )
+            )
+
+            return response unless response.status == 500
+            return response unless registry_auth_headers["Authorization"]
+
+            auth = registry_auth_headers["Authorization"]
+            return response unless auth.start_with?("Basic")
+
+            decoded_token = Base64.decode64(auth.gsub("Basic ", ""))
+            return unless decoded_token.include?(":")
+
+            username, password = decoded_token.split(":")
+            Excon.get(
+              dependency_url,
+              SharedHelpers.excon_defaults.merge(
+                user: username,
+                password: password,
+                idempotent: true
+              )
+            )
+          end
+
+          def check_npm_response(npm_response)
+            return if git_dependency?
+
+            if private_dependency_not_reachable?(npm_response)
+              raise PrivateSourceAuthenticationFailure, dependency_registry
+            end
+
+            status = npm_response.status
+            return if status.to_s.start_with?("2")
+
+            # Ignore 404s from the registry for updates where a lockfile doesn't
+            # need to be generated. The 404 won't cause problems later.
+            return if status == 404 && dependency.version.nil?
+
+            msg = "Got #{status} response with body #{npm_response.body}"
+            raise RegistryError, msg
+          end
+
+          def raise_npm_details_error(error)
+            raise if dependency_registry == "registry.npmjs.org"
+            raise unless error.is_a?(Excon::Error::Timeout)
+
+            raise PrivateSourceTimedOut, dependency_registry
+          end
+
+          def private_dependency_not_reachable?(npm_response)
+            # Check whether this dependency is (likely to be) private
+            if dependency_registry == "registry.npmjs.org" &&
+               !dependency.name.start_with?("@")
+              return false
+            end
+
+            [401, 402, 403, 404].include?(npm_response.status)
+          end
+
+          def dependency_url
+            registry_finder.dependency_url
+          end
+
+          def dependency_registry
+            registry_finder.registry
+          end
+
+          def registry_auth_headers
+            registry_finder.auth_headers
+          end
+
+          def registry_finder
+            @registry_finder ||=
+              RegistryFinder.new(
+                dependency: dependency,
+                credentials: credentials,
+                npmrc_file: dependency_files.
+                            find { |f| f.name.end_with?(".npmrc") },
+                yarnrc_file: dependency_files.
+                             find { |f| f.name.end_with?(".yarnrc") }
+              )
+          end
+
+          def ignore_reqs
+            ignored_versions.
+              map { |req| Utils::JavaScript::Requirement.new(req.split(",")) }
+          end
+
+          def version_class
+            Utils::JavaScript::Version
+          end
+
+          # TODO: Remove need for me
+          def git_dependency?
+            GitCommitChecker.new(
+              dependency: dependency,
+              credentials: credentials
+            ).git_dependency?
+          end
+        end
+      end
+    end
+  end
+end